US11469880B2 · Active · Utility · PatentIndex 50

Data at rest encryption (DARE) using credential vault

Assignee: EMC IP HOLDING CO LLC
Priority: Aug 20, 2020
Filed: Aug 20, 2020
Granted: Oct 11, 2022
Est. expiry: Aug 20, 2040 (~14.1 yrs left) · nominal 20-yr term from priority
Inventors: PONNUSWAMY SENTHIL; JREIJ ELIE; VINANTE MARCELO; SHARMA ANURAG
CPC: H04L 9/0825, G06F 11/1469, H04L 9/3234, H04L 9/0631, G06F 21/78, G06F 11/1451, G06F 21/602, H04L 9/0897
PatentIndex Score: 50 · Cited by: 0 · References: 7 · Claims: 9

Abstract

A subset of data encryption keys are stored in plain text form in system memory of an information handling system. A master key and another subset of the data encryption keys are stored in a credential vault of the information handling system. The credential vault forms part of an out-of-band management platform and is protected by an AES key. A request is received for a data encryption key to decrypt a unit of data backed up to backup storage of the information handling system, the unit of data having been encrypted by the data encryption key, and the data encryption key having been encrypted by the master key and stored at the backup storage as an encrypted data encryption key. One or more locations are checked for the data encryption key. The one or more locations include the system memory, credential vault, and backup storage.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A method comprising:
   storing a subset of a plurality of data encryption keys in a plain text form in a system memory of an information handling system;
   storing a master key and another subset of the plurality of data encryption keys in a credential vault of the information handling system, separate from the system memory, the credential vault forming a part of an out-of-band management platform that is coupled to a host system processor of a host system of the information handling system, and contents of the credential vault being encrypted by an advanced encryption standard (AES) key;
   receiving a request for a data encryption key to decrypt a unit of data backed up to backup storage of the information handling system, the unit of data having been encrypted by the data encryption key, and the data encryption key having been encrypted by the master key and stored at the backup storage as an encrypted data encryption key;
   checking one or more of a plurality of locations for the data encryption key, the plurality of locations comprising the system memory, the credential vault, and the backup storage; and
   returning a plain text form of the data encryption key in response to the request, wherein when the data encryption key has been found at the backup storage, the data encryption key is decrypted using the master key, and added to the credential vault and the system memory, wherein the checking for the data encryption key comprises:
     checking the system memory;
     if the data encryption key is found in the system memory, determining that the data encryption key does not have to be decrypted because a plain text form of the data encryption key has been found;
     if the data encryption key is not found in the system memory, checking the credential vault;
     if the data encryption key is found in the credential vault, decrypting the data encryption key using the AES key associated with the credential vault; and
     if the data encryption key is not found in the credential vault,
       retrieving the master key from the credential vault, the master key having been wrapped by a trusted platform module (TMP);
       requesting that the TMP unwrap the master key;
       retrieving the data encryption key from the backup storage, the retrieved data encryption key being encrypted using the master key; and
       decrypting the retrieved data encryption key using the master key to return the plain text form of the data encryption key.

2. The method of claim 1 wherein the checking for the data encryption key comprises:
   checking the system memory;
   after checking the system memory, checking the credential vault; and
   after the checking the system memory and the credential vault, checking the backup storage.

3. The method of claim 1 further comprising:
   configuring a first threshold percent value defining a maximum percentage of the plurality of data encryption keys allowed to be stored in plain text form in the system memory; and
   configuring a second threshold percent value defining a maximum percentage of the plurality of data encryption keys allowed to be stored in the credential vault.

4. A system comprising: a processor; and memory configured to store one or more sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of:
   storing a subset of a plurality of data encryption keys in a plain text form in a system memory of an information handling system;
   storing a master key and another subset of the plurality of data encryption keys in a credential vault of the information handling system, separate from the system memory, the credential vault forming a part of an out-of-band management platform that is coupled to a host system processor of a host system of the information handling system, and contents of the credential vault being encrypted by an advanced encryption standard (AES) key;
   receiving a request for a data encryption key to decrypt a unit of data backed up to backup storage of the information handling system, the unit of data having been encrypted by the data encryption key, and the data encryption key having been encrypted by the master key and stored at the backup storage as an encrypted data encryption key;
   checking one or more of a plurality of locations for the data encryption key, the plurality of locations comprising the system memory, the credential vault, and the backup storage; and
   returning a plain text form of the data encryption key in response to the request, wherein when the data encryption key has been found at the backup storage, the data encryption key is decrypted using the master key, and added to the credential vault and the system memory, wherein the checking for the data encryption key comprises:
     checking the system memory;
     if the data encryption key is found in the system memory, determining that the data encryption key does not have to be decrypted because a plain text form of the data encryption key has been found;
     if the data encryption key is not found in the system memory, checking the credential vault;
     if the data encryption key is found in the credential vault, decrypting the data encryption key using the AES key associated with the credential vault; and
     if the data encryption key is not found in the credential vault,
       retrieving the master key from the credential vault, the master key having been wrapped by a trusted platform module (TMP);
       requesting that the TMP unwrap the master key;
       retrieving the data encryption key from the backup storage, the retrieved data encryption key being encrypted using the master key; and
       decrypting the retrieved data encryption key using the master key to return the plain text form of the data encryption key.

5. The system of claim 4 wherein the checking for the data encryption key comprises:
   checking the system memory;
   after checking the system memory, checking the credential vault; and
   after the checking the system memory and the credential vault, checking the backup storage.

6. The system of claim 4 wherein the processor further carries out the steps of:
   configuring a first threshold percent value defining a maximum percentage of the plurality of data encryption keys allowed to be stored in plain text form in the system memory; and
   configuring a second threshold percent value defining a maximum percentage of the plurality of data encryption keys allowed to be stored in the credential vault.

7. A computer program product, comprising a non-transitory computer-readable medium having a computer-readable program code embodied therein, the computer-readable program code adapted to be executed by one or more processors to implement a method comprising:
   storing a subset of a plurality of data encryption keys in a plain text form in a system memory of an information handling system;
   storing a master key and another subset of the plurality of data encryption keys in a credential vault of the information handling system, separate from the system memory, the credential vault forming a part of an out-of-band management platform that is coupled to a host system processor of a host system of the information handling system, and contents of the credential vault being encrypted by an advanced encryption standard (AES) key;
   receiving a request for a data encryption key to decrypt a unit of data backed up to backup storage of the information handling system, the unit of data having been encrypted by the data encryption key, and the data encryption key having been encrypted by the master key and stored at the backup storage as an encrypted data encryption key;
   checking one or more of a plurality of locations for the data encryption key, the plurality of locations comprising the system memory, the credential vault, and the backup storage; and
   returning a plain text form of the data encryption key in response to the request, wherein when the data encryption key has been found at the backup storage, the data encryption key is decrypted using the master key, and added to the credential vault and the system memory, wherein the checking for the data encryption key comprises:
     checking the system memory;
     if the data encryption key is found in the system memory, determining that the data encryption key does not have to be decrypted because a plain text form of the data encryption key has been found;
     if the data encryption key is not found in the system memory, checking the credential vault;
     if the data encryption key is found in the credential vault, decrypting the data encryption key using the AES key associated with the credential vault; and
     if the data encryption key is not found in the credential vault,
       retrieving the master key from the credential vault, the master key having been wrapped by a trusted platform module (TMP);
       requesting that the TMP unwrap the master key;
       retrieving the data encryption key from the backup storage, the retrieved data encryption key being encrypted using the master key; and
       decrypting the retrieved data encryption key using the master key to return the plain text form of the data encryption key.

8. The computer program product of claim 7 wherein the checking for the data encryption key comprises:
   checking the system memory;
   after checking the system memory, checking the credential vault; and
   after the checking the system memory and the credential vault, checking the backup storage.

9. The computer program product of claim 7 wherein the method further comprises:
   configuring a first threshold percent value defining a maximum percentage of the plurality of data encryption keys allowed to be stored in plain text form in the system memory; and
   configuring a second threshold percent value defining a maximum percentage of the plurality of data encryption keys allowed to be stored in the credential vault.
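The three-tier lookup of claims 1 and 2 (system memory, then the AES-protected credential vault, then backup storage via a TPM-unwrapped master key) and the caching thresholds of claim 3, as an added illustration that is not the patent's or the assignee's code. The `xor_cipher` keystream and the `TPM` class are stand-ins for real AES and TPM key wrapping, and the reading of the thresholds as hard caps on how many keys may be re-cached is an assumption.

```python
import hashlib
import hmac

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES: XOR with an HMAC-SHA256 keystream (symmetric, demo only)."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

class TPM:
    """Simulated TPM: sole holder of the key that wraps the master key."""
    def __init__(self, tpm_key: bytes) -> None:
        self._k = tpm_key
    def wrap(self, blob: bytes) -> bytes:
        return xor_cipher(self._k, blob)
    unwrap = wrap  # symmetric stand-in, so unwrapping is the same operation

class DareKeyStore:
    """Three-tier DEK lookup: system memory -> credential vault -> backup storage."""
    def __init__(self, tpm: TPM, master_key: bytes, vault_aes_key: bytes,
                 total_keys: int, mem_pct: int, vault_pct: int) -> None:
        self.tpm, self.vault_key = tpm, vault_aes_key
        self.memory = {}   # plain-text DEKs: fastest to use, least protected
        self.vault = {"master": tpm.wrap(master_key)}  # OOB vault; DEK entries AES-protected
        self.backup = {}   # DEKs encrypted under the master key
        self.mem_cap = total_keys * mem_pct // 100     # claim 3 thresholds; cap semantics assumed
        self.vault_cap = total_keys * vault_pct // 100
        self.found_at = None  # which tier served the last request

    def add_backup(self, name: str, dek: bytes, master_key: bytes) -> None:
        self.backup[name] = xor_cipher(master_key, dek)  # backup time: DEK wrapped by master key

    def get_dek(self, name: str) -> bytes:
        if name in self.memory:                        # tier 1: already plain text
            self.found_at = "memory"
            return self.memory[name]
        if name in self.vault:                         # tier 2: decrypt with the vault AES key
            self.found_at = "vault"
            return xor_cipher(self.vault_key, self.vault[name])
        if name not in self.backup:
            raise KeyError(name)
        self.found_at = "backup"                       # tier 3: TPM unwraps the master key first
        master = self.tpm.unwrap(self.vault["master"])
        dek = xor_cipher(master, self.backup[name])
        if len(self.vault) - 1 < self.vault_cap:       # re-cache, bounded by the thresholds
            self.vault[name] = xor_cipher(self.vault_key, dek)
        if len(self.memory) < self.mem_cap:
            self.memory[name] = dek
        return dek
```

A second request for the same key is served from memory without touching the TPM, which is the latency trade-off the tiering buys at the cost of holding some keys in plain text.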

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.